Why isn’t LUKS2 the default yet?

I tried enabling discard with cryptsetup --allow-discards --persistent for my LUKS-based BTRFS on my SSD, but it didn’t work. It gave me the warning:

This operation is supported only for LUKS2 device.

I hadn’t realized that Manjaro still defaults to LUKS1.
Hmm, I guess I’ll have to chroot and manually upgrade to LUKS2 after making a backup.

LUKS2 is not new, it’s been around for 7 years! But Manjaro is a rolling release!?
My question is, why isn’t LUKS2 the default yet?

What I read:

the “regular” grub bootloader cannot open LUKS2 encrypted volumes,
but this is how the Calamares installer creates encrypted setups.
that is why the Calamares installer creates encrypted setups using LUKS1.

There would be no problem using LUKS2 with /boot/efi unencrypted,
so that the boot loader can access the initrd.

If you just go ahead and convert your LUKS1 to LUKS2 you’ll very likely not be able to boot anymore.


Yes?

But what?

See the Calamares installer github issue tracker

See → LUKS2 unusable in current state · Issue #2129 · calamares/calamares · GitHub
See → Allow to select between luks and luks2 when creating encrypted partition · Issue #1643 · calamares/calamares · GitHub

GRUB2 support of encrypted root is limited to LUKS1 and the decryption phase takes a long time.

See → [root tip] [How To] Use Calamares to install encrypted root using unencrypted boot

You can install using LUKS2 but it is a manual operation and requires the use of systemd-boot or using unified kernel image for direct efi boot.

See → [root tip] [Utility Script] Encrypted Manjaro Linux using Verified Boot

Other resources

https://root.nix.dk/en/manjaro-cli-install/encrypted-cli-installation
https://root.nix.dk/en/manjaro-cli-install/systemd-boot-luks-ext4
systemd-boot - LUKS - btrfs | root.nix.dk


Oh well, it’s all because of GRUB only.
Doesn’t Manjaro Calamares let users choose a different bootloader?

My default bootloader is Limine with Secure Boot and snapshots on my notebook since I already got rid of GRUB a while ago.

That’s what made me think I should make a backup first before upgrading to LUKS2.

AFAIK: No

It’s a manual process, just like what you did to now have Limine as your boot loader, apparently.

I don’t know that one, and have only ever read about secure boot, but never actually implemented it.

I did partly manual installations with unencrypted /boot and LUKS2 encrypted / and all the rest.
Years ago already.
With Grub and systemd-boot as well.
Never used Limine - don’t know it.


You can manually convert it to LUKS2. This only changes its LUKS header format without modifying the underlying filesystem encryption.
This is probably safer and more reliable than converting old encryption to another encryption where your data is stored.

The LUKS header is NOT the data encryption.

The encryption algorithm and existing filesystem remain unchanged and compatible, as LUKS2 supports the weaker encryption algorithm (PBKDF2) from LUKS1.

If you’re worried about security in your case, consider converting from PBKDF2 to strong Argon2id.
However, be aware that a power failure during the conversion process could potentially lead to data loss.

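The procedure described in the posts above (header backup, in-place `cryptsetup convert`, optional PBKDF2 to Argon2id keyslot conversion, then storing `allow-discards` persistently, which only works once the header is LUKS2), as an added shell example that is not from the thread or from any Manjaro/Calamares tooling. It assumes the device path is passed as `$1`, that the volume is closed (not mapped, not mounted) when converting, and that it runs from a live system or chroot with root privileges. The two `luks_*_from_dump` helpers parse `cryptsetup luksDump` output so the script can refuse to "convert" a device that is already LUKS2 and can verify that the discard flag actually landed in the header; the sample dump lines they are checked against are constructed, not captured from a real device.

```shell
#!/bin/sh
# Added example: LUKS1 -> LUKS2 header conversion with the checks a practitioner
# wants before and after. Not from the forum thread. Assumes cryptsetup 2.x and
# a closed (unmapped, unmounted) device; run from a live system or chroot as root.
set -eu

# Parse the "Version:" line of `cryptsetup luksDump` output read from stdin.
# LUKS1 prints "Version:       	1", LUKS2 prints "Version:       	2".
luks_version_from_dump() {
    awk -F: '/^Version:/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Parse the persistent flags line of a LUKS2 luksDump, e.g. "Flags:   allow-discards".
luks_flags_from_dump() {
    awk -F: '/^Flags:/ { sub(/^[ \t]+/, "", $2); print $2; exit }'
}

# Convert the header of device $1 from LUKS1 to LUKS2. Data and cipher are untouched;
# only the header format changes, so a header backup is the safety net against a
# power failure mid-conversion.
convert_to_luks2() {
    dev=$1
    ver=$(cryptsetup luksDump "$dev" | luks_version_from_dump)
    if [ "$ver" != "1" ]; then
        echo "$dev is LUKS$ver, nothing to convert" >&2
        return 1
    fi
    # 1. Keep a header backup: the LUKS1 header is the only copy of the key material.
    backup="luks1-header-$(date +%s).img"
    cryptsetup luksHeaderBackup "$dev" --header-backup-file "$backup"
    echo "header backed up to $backup" >&2
    # 2. In-place header conversion (prompts for confirmation).
    cryptsetup convert --type luks2 "$dev"
    # 3. Optional: move the keyslot from PBKDF2 to Argon2id (prompts for the passphrase).
    cryptsetup luksConvertKey --pbkdf argon2id "$dev"
    # 4. Confirm the header now reports version 2.
    [ "$(cryptsetup luksDump "$dev" | luks_version_from_dump)" = "2" ]
}

# Open device $1 as /dev/mapper/$2 with discards and store the flag in the LUKS2
# header, then verify it persisted (this is the step that fails on a LUKS1 header).
persist_discard() {
    dev=$1
    name=$2
    cryptsetup open --allow-discards --persistent "$dev" "$name"
    cryptsetup luksDump "$dev" | luks_flags_from_dump | grep -q allow-discards
}

# Usage (not run automatically):
#   convert_to_luks2 /dev/nvme0n1p2
#   persist_discard  /dev/nvme0n1p2 cryptroot
```

After `persist_discard` succeeds, `/etc/crypttab` and the initramfs hook no longer need a `discard` option for this device, because the flag lives in the header; a later `fstrim` on the mounted filesystem then reaches the SSD.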

I note that you have asked about the general topic of LUKS2 previously. Adding a link for reference;

https://forum.manjaro.org/t/which-btrfs-layout-do-you-use-and-why/172504/8?u=soundofthunder

I made a backup and completed the manual conversion of LUKS1 to LUKS2 in chroot, following Arch Wiki. The conversion time was quick.

I enabled the discard option in the LUKS2 setting, and fstrim works fine as expected. Thank you!

I see, thank you.
